
The payments regulation roadmap: Q2 2025
Your quarterly overview of the key regulatory changes impacting payments—what’s happening, what’s coming, and what actions to take
14 April 2025
by Payments Intelligence
What is the roadmap about?
It provides a structured view of the regulatory developments set to shape the payments sector from Q2 2025 onwards—across the UK, EU, and international markets.
Why is it important?
Understanding what’s coming allows payments firms to mitigate risk, meet compliance obligations, and capitalise on strategic opportunities in a shifting regulatory environment.
What’s next?
Immediate focus areas include fraud prevention, ISO 20022 readiness, and stablecoin regulation—but longer-term success depends on active engagement with consultations, operational resilience, and global alignment.
The payments landscape is entering a defining phase of regulatory transformation. Across the UK, EU, and international markets, new rules are recasting expectations around security, transparency, and accountability—impacting not only compliance obligations but how firms design services, manage risk, and deliver value to customers.
This Payments Regulation Roadmap for Q2 2025 provides a high-level yet actionable view of the key developments shaping the sector. It distils complex legislative changes into strategic insights, outlining what’s in force, what’s imminent, and what demands forward planning. From reforms in fraud prevention and financial promotions to stablecoin oversight and operational resilience, the agenda is broad and accelerating.
What unites these developments is a clear directional shift: towards stricter standards, faster implementation timelines, and greater scrutiny across all points of the payment value chain. Meanwhile, broader systemic reforms—from ISO 20022 and open finance to the long horizon of a digital pound—require coordinated internal response and sustained regulatory engagement.
This roadmap is designed to support decision-making at both strategic and operational levels. It flags high-impact developments, clarifies their implications, and offers a clear line of sight on where regulatory attention is heading. Legal risks, operational exposures, and governance expectations are highlighted throughout, alongside next steps to support timely action.
Use this roadmap to guide strategic planning, align internal functions, and ensure your organisation remains responsive in a fast-moving and increasingly complex regulatory environment.
The Economic Crime and Corporate Transparency Act 2023 introduces a new, far-reaching corporate offence: failure to prevent fraud. Under this provision, large organisations can be held criminally liable if they do not have reasonable procedures in place to stop fraud committed by their employees, agents, or subsidiaries where the intent was to benefit the organisation or its clients. Crucially, liability applies even if senior management was unaware of the misconduct — signalling a clear shift towards proactive prevention over reactive enforcement.
The FCA’s final guidance, expected in April 2025, sets out the regulator’s expectations for what constitutes “reasonable procedures.” This includes undertaking robust fraud risk assessments, embedding tailored internal controls, and delivering ongoing staff training. Firms are also expected to maintain proper oversight mechanisms and ensure that anti-fraud policies are proportionate, dynamic, and integrated into business-as-usual operations.
This new offence aligns with a broader regulatory trend: increasing corporate accountability for financial crime prevention. It mirrors existing offences in anti-bribery and tax evasion, but with a sharper focus on consumer protection and market integrity. Firms must now take a strategic approach to fraud risk, ensuring that prevention measures are not only documented, but demonstrably effective. Failure to do so could result in prosecutions, financial penalties, and serious reputational harm.
Organisations may face criminal liability if they fail to implement adequate fraud prevention measures, even if senior management is unaware of the fraudulent activities. The offence applies to large organisations meeting specific criteria, including employee count and financial thresholds.
The UK’s financial promotions regime was significantly expanded on 8 October 2023, when the Financial Conduct Authority (FCA) brought qualifying cryptoassets within scope of its financial promotion rules. This regulatory shift aims to strengthen consumer protection and curb misleading or irresponsible marketing in the high-risk cryptoasset sector.
Under the rules, any promotion of cryptoassets to UK consumers must be clear, fair, and not misleading, and must be either approved by an FCA-authorised firm or communicated by one directly. These requirements apply across all media — including websites, mobile apps, social media, referral programmes, and influencer content — effectively closing loopholes previously exploited in crypto advertising.
Although the rules are already in effect, the FCA’s supervisory focus is expected to intensify during Q2 2025, with greater scrutiny of compliance practices and a likely uptick in enforcement actions. For payment firms offering crypto-related services, the compliance burden is immediate and ongoing. Firms must ensure their promotions meet the required standards, supported by robust internal approval processes, monitoring systems, and clear documentation to demonstrate adherence. Failure to do so could result in regulatory sanctions, reputational damage, and restrictions on business activities.
Payment firms engaging in financial promotions for cryptoassets must now comply with the FCA’s stringent standards. Non-compliance can result in enforcement actions, including fines and restrictions on business operations. Firms must ensure that their promotional materials meet the required standards to avoid legal repercussions.
The transition to ISO 20022 for cross-border payments is a fundamental shift in global financial messaging standards. It introduces a richer, more structured data format for payment messages, designed to enhance interoperability, increase efficiency, and reduce ambiguity in financial communications. While the phased rollout began in March 2023, the industry is now entering a critical phase: final testing, operational readiness, and counterpart alignment ahead of the mandatory adoption deadline on 22 November 2025.
For payment firms and financial institutions, this is far more than a technical upgrade. Delayed preparation may result in incompatibility with global payment systems, transaction failures, data truncation, and increased regulatory scrutiny. Institutions that are not fully prepared risk being locked out of clearing and settlement infrastructure, impacting both operational resilience and client service delivery.
ISO 20022 also unlocks improvements in fraud detection, regulatory reporting, and data analytics. But these benefits hinge on completing system upgrades, automation, staff training, and governance enhancements well before the deadline. With Q2 2025 marking the final window for operational readiness, firms must act now to ensure they are not caught flat-footed as the transition enters its endgame.
Failure to adopt ISO 20022 by the mandated deadline may result in operational disruptions, reduced interoperability with global payment systems, and potential non-compliance with international payment processing standards. Financial institutions that do not transition to ISO 20022 risk being unable to process cross-border payments efficiently, leading to competitive disadvantages and possible regulatory scrutiny.
The Payment Systems Regulator (PSR) has raised significant competition concerns around cross-border interchange fees applied to online card transactions between the UK and the European Economic Area (EEA). Following the UK’s departure from the EU, the caps that previously limited these fees no longer apply. As a result, major card schemes have sharply increased their charges—with debit card fees rising from 0.2% to 1.15%, and credit card fees jumping from 0.3% to 1.5%.
These increases have drawn criticism from UK merchants and consumer advocacy groups, who argue that the higher fees are unjustified and ultimately passed on to end users. In response, the PSR has proposed reintroducing caps on these fees to restore competitive balance, support UK businesses, and protect consumers. The regulator is currently engaged in stakeholder consultations, with final rules anticipated in late 2025.
For payment firms, the proposed changes present both strategic and operational implications. Businesses may need to adjust pricing models, renegotiate merchant agreements, and prepare systems to accommodate potential fee structure changes. Active participation in the consultation process will be key to anticipating the impact and shaping future compliance strategies.
The substantial increase in cross-border interchange fees—rising from 0.2% to 1.15% for debit cards and from 0.3% to 1.5% for credit cards—has raised concerns about the lack of competition and the potential harm to UK merchants and consumers. The PSR’s proposed price caps aim to address these issues; however, payment firms must prepare for regulatory changes that may impact their fee structures and revenue models.
The UK government is progressing rapidly toward a comprehensive regulatory framework for cryptoassets, with a particular emphasis on stablecoins and their use in payment services. In late 2024, HM Treasury confirmed its intention to move away from a phased approach and instead pursue a holistic, full-scope model. This regulatory shift aims to deliver greater consumer protection, financial stability, and market integrity across the evolving digital asset sector.
Under the forthcoming framework, stablecoins used for payments will fall squarely under the FCA’s regulatory perimeter. These assets will be subject to standards akin to those applied to traditional payment service providers, covering areas such as capital requirements, governance, operational resilience, and anti-money laundering (AML) compliance. Firms involved in issuance, custody, or facilitation of stablecoin payments should expect heightened scrutiny and ongoing supervision.
For firms operating in or entering the crypto space, this signals a decisive regulatory pivot. While it introduces greater clarity and legitimacy, it also brings significant compliance responsibilities. With final rules anticipated in late 2025 or early 2026, firms should act now to align internal policies, upgrade systems, and engage with FCA consultations to shape and anticipate the future regulatory environment.
The forthcoming regulations will introduce new compliance requirements for firms involved in cryptoasset activities, including stablecoin issuance and related payment services. Firms must prepare for obligations concerning consumer protection, market integrity, and financial stability. Non-compliance could result in legal penalties, operational restrictions, and reputational harm.
The UK is evolving its digital finance ecosystem by transitioning from open banking to a broader and more ambitious open finance framework. While open banking has enabled consumers to share current account data with authorised third parties, open finance extends this model across a wider range of financial products—including mortgages, pensions, savings, insurance, and investments. The aim is to empower consumers with greater control over their financial data, improve transparency, and unlock more personalised, competitive financial services.
This transition is being steered by the Joint Regulatory Oversight Committee (JROC), which is developing a roadmap for implementation, building on lessons learned from open banking. Open finance will require a more coordinated regulatory approach, enhanced data sharing infrastructure, and clearer consumer consent mechanisms. The emphasis will be on ensuring data portability, robust privacy protections, and secure third-party access.
For payment firms and financial institutions, open finance presents both a strategic opportunity and a compliance challenge. Firms must prepare for new rules around data access, sharing protocols, and liability frameworks. They’ll also need to evaluate internal capabilities for data management, customer authentication, and API performance. Engaging early in industry consultations and technology pilots will be key to shaping standards and staying competitive as this future unfolds.
As the open finance framework develops, financial institutions must navigate new regulatory requirements concerning data sharing, consumer consent, and data protection. Ensuring compliance with these evolving regulations is crucial to avoid legal penalties and maintain consumer trust.
The Bank of England is moving to broaden access to its real-time gross settlement (RTGS) system, with reforms designed to increase competition, support innovation, and improve financial stability. This work has particular relevance for non-bank payment service providers (NBPSPs) and foreign banks, as highlighted at Pay360 by Victoria Cleland, Executive Director for Banking, Payments and Innovation.
The programme sets out four priorities. These include enhancing the joint Bank/FCA process for NBPSPs seeking RTGS access, increasing transparency for foreign banks considering participation, clarifying requirements for Financial Market Infrastructures (FMIs), and reviewing the CHAPS direct participation threshold. New guidance and revised onboarding procedures are being implemented, with a view to easing entry and supporting safe growth among new participants.
These changes form part of a broader push to improve access to central bank money settlement and align with international efforts—such as the G20 cross-border payments roadmap—while reinforcing UK payment system resilience.
Payment firms without access to RTGS may face structural disadvantages, including reduced resilience, reliance on intermediaries, and exposure to onboarding delays under current thresholds.
The European Accessibility Act (EAA) is a key piece of EU legislation aimed at improving the accessibility of a wide range of products and services for people with disabilities across member states. Adopted in 2019, the EAA introduces a common set of accessibility requirements that apply to sectors including digital banking, e-commerce, and payment services. The objective is to remove barriers to access and ensure that essential services are inclusive, supporting the rights of people with disabilities to participate fully in economic and social life.
For payments firms, the EAA is particularly relevant to customer-facing products such as payment terminals, mobile apps, online banking platforms, ATMs, and customer service interfaces. These systems will need to meet specific technical standards related to usability and accessibility—for example, supporting screen readers, providing clear navigation structures, and ensuring compatibility with assistive technologies. The aim is to ensure that consumers with varying physical, cognitive, or sensory impairments can use payment services independently and with confidence.
The deadline for compliance is 28 June 2025, meaning firms that operate or serve customers within the EU must ensure their offerings meet the new accessibility requirements by this date. While national governments are responsible for transposing the Act into domestic law and for monitoring enforcement, the harmonised approach across the EU aims to simplify compliance for cross-border service providers. For payments leaders, the EAA represents a broader shift toward inclusive design and customer-centricity, aligning closely with digital transformation and ESG objectives.
Non-compliance with the European Accessibility Act may result in enforcement actions by national authorities, including fines, product withdrawal from the market, or restrictions on service delivery within the EU. It can also expose firms to legal challenges and reputational damage for failing to meet mandatory accessibility standards.
The Bank of England is continuing its multi-phase assessment of a central bank digital currency (CBDC), referred to as the “digital pound.” The project is currently in its second phase, focused on design, feasibility, and experimentation. This includes evaluating infrastructure models, privacy standards, and use cases in collaboration with technology providers and payment firms through the Digital Pound Lab.
While early communications suggested a potential launch later this decade, recent public statements from the Bank indicate a longer horizon. At the PAY360 conference in March 2025, Diana Carrasco, head of the digital pound at the Bank of England, stated that the digital pound should not be expected before 2033—representing the first official indication that a launch is unlikely within this decade. This update significantly recalibrates industry expectations and planning assumptions.
For payment firms, a retail CBDC still represents a major prospective shift in the financial landscape—introducing new competition in the form of central bank-issued money, and requiring firms to adapt their onboarding, wallet infrastructure, and data frameworks. Continued participation in the Bank’s engagement initiatives remains critical to ensure preparedness as the design phase evolves.
The long-term introduction of a digital pound raises legal and policy questions, including alignment with existing financial regulation, data protection standards, and implications for deposit-taking institutions. Firms will need to consider potential operational and strategic impacts well in advance of any launch.
Although the FCA’s Consumer Duty formally came into effect for open products and services on 31 July 2023, and for closed products and services on 31 July 2024, its importance continues well into 2025 and beyond—particularly for payment firms. This is not a one-and-done compliance exercise; the Duty is designed to be dynamic and evolving, with the FCA undertaking continuous supervisory engagement to ensure firms not only meet the letter of the regulation but also embed its principles into everyday practice.
The Duty sets a higher bar for consumer outcomes, requiring firms to act in good faith, avoid foreseeable harm, and support customers in achieving their financial objectives. For payment firms, this means re-evaluating product design, communications, support services, and value delivery—not just once, but on an ongoing basis. The FCA has made clear that superficial compliance will not suffice, and firms should expect increased scrutiny of their customer journey, data insights, and decision-making frameworks.
With a mid-2026 review expected, payment firms must treat the Duty as a strategic imperative—ensuring it is fully operationalised across business lines and supported by meaningful evidence of consumer-focused outcomes.
Payment firms that fail to embed the Consumer Duty risk regulatory enforcement, including fines and reputational harm. The FCA expects firms to continuously monitor and evidence how they deliver good consumer outcomes. Weak product governance, unclear communications, or failure to demonstrate fair value may be deemed non-compliant, even without direct complaints. As the Duty evolves, so too must firms’ oversight and response mechanisms.
The UK is preparing to transition its standard securities settlement cycle from T+2 to T+1, with implementation scheduled for 11 October 2027. This change will shorten the time between trade execution and settlement to one business day, bringing the UK in line with other leading markets such as the US and Canada, which are already moving to T+1. The shift is intended to reduce counterparty and systemic risk, improve capital and collateral efficiency, and enhance the overall resilience of financial markets.
While the policy rationale is clear, the operational implications are far-reaching. Firms will need to streamline post-trade processes, enhance settlement efficiency, and implement real-time data handling capabilities to meet the compressed timelines. Manual or fragmented processes will become increasingly untenable, placing greater reliance on automation, straight-through processing (STP), and near-instantaneous reconciliation.
T+1 also raises challenges around funding and liquidity management, especially for cross-border trades involving time zone differences or currency conversions. Market participants will need to reassess pre-settlement risk exposure, cut-off times, and operational resilience frameworks. With less room for error or delay, preparation must begin well in advance. Early investment in infrastructure and cross-industry coordination will be key to a successful transition.
The shift to a T+1 securities settlement cycle, anticipated by 2027, introduces legal and operational challenges for financial firms. Meeting the accelerated timeline will require upgrades to existing systems, greater automation of trade processing, and more agile liquidity management to ensure funds are available within the reduced window. Without these changes, firms face increased risk of settlement failure, operational disruption, and potential regulatory consequences. Early preparation will be essential to navigate the transition smoothly.
The Payment Services Directive 3 (PSD3) and the accompanying Payment Services Regulation (PSR) are significant legislative proposals from the European Commission, representing a comprehensive overhaul of the EU’s regulatory framework for payments and electronic money. While these reforms will have far-reaching consequences for firms operating within the EU, it is important to note that they currently have no legal effect in the UK. The UK Treasury is still considering its domestic approach to future payments regulation, following a consultation process that concluded in 2023. Until a formal response is published, UK firms should monitor EU developments closely but remain focused on the evolving UK framework. These reforms are designed to address the growing complexity of the payments ecosystem, technological innovation, and the emergence of new risks that were not fully anticipated under the existing PSD2 regime.
At their core, PSD3 and the PSR aim to enhance consumer protection, strengthen the security and integrity of payment services, and foster greater competition and innovation—particularly by levelling the regulatory playing field between traditional banks and non-bank payment service providers. A major structural change is the integration of e-money institutions into the broader payments regime, ensuring more consistent supervision and harmonisation across all entities offering similar services.
Additionally, the proposals introduce tighter controls on fraud prevention, with more robust requirements for strong customer authentication (SCA), incident reporting, and data transparency. In the context of open banking, PSD3 and the PSR seek to enhance access and interoperability while improving customer control over their financial data. These reforms will have wide-reaching implications for licensing, compliance, and operational strategy across the EU payments market.
The integration of e-money institutions into the PSD3 framework introduces new licensing and supervision requirements. Payment service providers must adapt to stricter fraud prevention measures and comply with enhanced strong customer authentication protocols.
The EU’s Digital Operational Resilience Act (DORA) came into force in January 2025 and introduces binding, cross-sectoral requirements for managing information and communication technology (ICT) risk across the financial services sector. Applicable to banks, payment firms, investment platforms, and ICT service providers, DORA marks a shift toward uniform resilience standards and regulatory oversight of critical third-party vendors.
DORA establishes a comprehensive framework for incident classification and reporting, digital resilience testing, and oversight of outsourcing arrangements. Firms must maintain robust risk management programmes that cover governance, continuity, and recovery — and ensure that all ICT service providers (including cloud providers) meet the new regulatory thresholds. DORA also introduces heightened expectations around board-level accountability and requires direct engagement with supervisory authorities in the event of major disruptions.
Firms with any regulated EU presence must comply fully with the regulation, regardless of group structure. For UK-based firms serving EU clients or operating subsidiaries in member states, these obligations may apply in parallel with UK requirements, creating potential cross-border complexity.
Non-compliance with DORA may result in supervisory action, fines, and reputational harm. Firms may also be exposed to operational failures or supply chain risks if critical ICT vendors do not meet DORA standards.
The EU’s Markets in Crypto-Assets Regulation (MiCA) is the most comprehensive crypto regulatory regime currently in force globally. Introduced to provide legal certainty and investor protection, MiCA covers the issuance and trading of cryptoassets and stablecoins within the EU and is being phased in throughout 2024–2025.
MiCA introduces licensing requirements for cryptoasset service providers (CASPs), conduct obligations, reserve requirements for stablecoin issuers, and market abuse provisions. By Q2 2025, more than ten firms are authorised under MiCA to issue stablecoins, including euro- and USD-denominated tokens. The framework is supervised by national competent authorities, coordinated at the EU level by the European Securities and Markets Authority (ESMA).
MiCA does not apply in the UK but is directly relevant to firms operating across the EU or targeting EU-based consumers. It also provides a reference point for the development of the UK’s own stablecoin regime, expected later in 2025.
Firms that issue, promote, or provide services in relation to cryptoassets in the EU without MiCA authorisation face legal penalties and market exclusion. UK firms must assess the territorial reach of their services and adjust operations to remain compliant.
This quarter’s regulatory agenda underscores the increasing pace and complexity of change in the payments sector. From EU-wide reforms under PSD3 and the PSR to the UK’s evolving approach to fraud prevention, crypto regulation, and consumer duty, the direction is clear: heightened expectations, broader scope, and a growing emphasis on accountability and operational resilience.
Firms that treat compliance as a strategic function (rather than a reactive obligation) will be better positioned to adapt as frameworks continue to shift. This means strengthening internal governance, investing in systems that can support regulatory agility, and embedding regulatory analysis into product and market planning. It also means anticipating where regulation is heading, not just responding to what’s already in place.
As we move further into 2025, regulatory initiatives such as ISO 20022 migration, stablecoin oversight, and open finance frameworks will demand sustained attention. With many rules still in development, firms should continue to monitor consultations closely and contribute to the shaping of future policy where possible.
For deeper insights into what’s expected in Q3 and beyond, including emerging issues, supervisory priorities, and implementation milestones, look out for the next edition of Payments Intelligence. It’s designed to help your teams plan with confidence, respond with precision, and stay ahead of regulatory change across the sector.
The Payments Association
St Clement’s House
27 Clements Lane
London EC4N 7AE
© Copyright 2024 The Payments Association. All Rights Reserved. The Payments Association is the trading name of Emerging Payments Ventures Limited.
Emerging Ventures Limited t/a The Payments Association; Registered in England and Wales, Company Number 06672728; VAT no. 938829859; Registered office address St. Clement’s House, 27 Clements Lane, London, England, EC4N 7AE.